doc: prefer to sign commits under nodejs repository

[RafaelGSS]

Although not required, I think adding this as a "recommended" is a good thing.

cc: @aduh95

[nodejs-github-bot]

Review requested:

• @nodejs/tsc

[RafaelGSS]

IIRC commit-queue does sign commits by default. But, in terms of creating releases, sometimes we forget to enforce this policy in backports, leading to some inconsistencies (as Antoine seen when we paired 😄)

[legendecas]

commit-queue does not sign if it is commit-queue-rebase, e.g. #57121

[tniessen]

FWIW, there have been multiple discussions about this in the past, and the benefit was generally considered marginal (see, for example, #15457, which would have made signing mandatory). That being said, I am not strictly opposed to this idea (and for a while I did sign my commits in this repository).

[joyeecheung]

I think this is only relevant for those who push directly to branches in the repository? For people who will probably never push directly to the repository (I guess most collaborators don't these days) it's not as relevant.

[jasnell]

If there isn't one already in this document, including a link to documentation on how to use commit.gpgsign would be helpful to newcomers.

[aduh95]

Recommending signatures is certainly fine, but I don't think it would be relevant to most contributors. Signatures are only really useful for things that require trust (e.g. unreviewed backports, release promotion), and are nice-to-have everywhere else on nodejs/node, and IMO barely relevant for PRs (which is what most contributors will ever do).

[RafaelGSS]

Yes, this is non-relevant for most of the contributors but Node.js releasers or anyone that attempts to backport a commit manually. Still, it's an optional recommendation, I'm fine either way.

[UlisesGascon]

I think is a great recommendation, specially for releasers as we do some changed in the git history and our signatures can be verified (see)

Also worth mention that signature verification requires an extra step on GitHub commiter's side if we want to achieve the visual verification (ref):

[aduh95]

We should consider making this recommendation on the ONBOARDING.md of nodejs/Release, and maybe reword it to ensure we're not setting a bar too high for newcomers:

Suggested change

	* It is recommended to sign all commits under the Node.js repository.
	Run: `git config commit.gpgsign true` inside the `node` folder.
	* Consider configuring git to sign all commits when working on the Node.js repository.
	Run: `git config commit.gpgsign true` inside the `node` folder.

[targos]

I fear that whatever the wording, people are going to run the command, and later they will be confused as their git commit fail because of the missing signing key.

[joyeecheung]

Can it start with "if you have a GPG key set up locally that matches the email you use to contribute to Node.js" so that people who do not know what it is will skip it?

[richardlau]

FWIW there are multiple methods of signing commits with git. GitHub supports (i.e. can displayed "Verified") GPG, SSH, or S/MIME signatures.

For the release team we've recommend GPG keys, but this documentation is aimed at a broader audience (collaborators).